Solved

AD DNS - I can ping some IPs but not others

Posted on 2008-10-15
1,009 Views
Last Modified: 2012-05-05
I have an AD forest with 1 Domain and 7 Subdomains.
I'm using AD integrated DNS.
One of my subdomains has 2 sites.
I created an OU within the subdomain that houses all of the 2nd site's servers, users etc.
I can ping servers and workstations to all domains from the 2nd site, except for a few. I don't know what's stopping me from pinging our "internet filter" from this site. I can ping something within the same IP range, like 192.168.xx.11, but not 192.168.xx.12...

Question by:bernardb

22 Comments
LVL 71

Expert Comment

by:Chris Dent
ID: 22724786

You can't ping by IP address?

Or is it Name Resolution that's at fault? That is, if you run "nslookup <host>" does it reply?

Can you connect to other services on the server? Anything running as TCP can be tested with telnet <servername> <port>. For example, we can test a connection to an SMTP server with "telnet server 25", or a web server with "telnet server 80". In most cases a successful connection is shown by a blank screen, anything but an error message is good :)

Chris
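The two-step split Chris describes (first confirm that the name resolves to the right address, then test the transport by IP address, the way "telnet <server> <port>" does) can be scripted so the outcome names the layer at fault. This is an added example and not code from the thread; the hostnames, ports and the loopback listener it uses for its own demonstration are constructed for the example.

```python
import socket
from contextlib import closing


def resolve(hostname):
    """Step 1, name resolution only: ask the resolver for the IPv4 addresses of hostname.
    Returns a sorted list of addresses, or [] if the name does not resolve.
    If the address that comes back is the right one, DNS has done its job and the
    fault is elsewhere."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_check(ip, port, timeout=3.0):
    """Step 2, transport by IP address: the scripted equivalent of "telnet <ip> <port>".
    Returns one of:
      "open"        the three-way handshake completed: routing and the firewall path work
      "refused"     a RST came back: the host is reachable but nothing listens on that port
      "timeout"     nothing came back at all: a filter dropping packets, or a routing problem
      "unreachable" the local stack or a router reported no route to the host"""
    try:
        with closing(socket.create_connection((ip, port), timeout=timeout)):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose(hostname, port):
    """Run the two steps in order and report which layer the failure belongs to:
    "dns" (no address), "service" (host answers, port closed), "network" (no answer), or "ok"."""
    addresses = resolve(hostname)
    if not addresses:
        return {"layer": "dns", "addresses": [], "results": {}}
    results = {ip: tcp_check(ip, port) for ip in addresses}
    verdicts = results.values()
    if "open" in verdicts:
        layer = "ok"
    elif "refused" in verdicts:
        layer = "service"
    else:
        layer = "network"
    return {"layer": layer, "addresses": addresses, "results": results}


def open_local_listener():
    """Constructed fixture for trying the checks offline: a listening socket on an ephemeral
    loopback port. The kernel completes handshakes into the backlog, so no accept() loop is
    needed for tcp_check() to report "open"."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    print(diagnose("localhost", port))   # layer "ok"
    srv.close()
    print(diagnose("localhost", port))   # layer "service": reachable host, closed port
```

A "refused" from every site, as the thread later reports for port 8080, points at the service rather than the path, while a timeout from one site only is the pattern of a filter or routing problem on that site's path.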

Author Comment

by:bernardb
ID: 22724833
Also, from all other domains, when I ping the filter I get the following
filter.domain.com

when I ping from the problem site, I get

filter.subdomain.domain.com

it should be filter.domain.com
LVL 71

Expert Comment

by:Chris Dent
ID: 22724884

Does filter exist as a record in DNS in subdomain? Or does a wildcard exist (*)? Or is WINS forwarding enabled for subdomain?

I take it you get the wrong IP back in subdomain?

Chris

Author Comment

by:bernardb
ID: 22724923
I can't ping 192.168.xx.50 from this specific site, but I can from all other domains and sites.
LVL 71

Expert Comment

by:Chris Dent
ID: 22724972

Then the problem isn't DNS, it's network level. Something is blocking ICMP, you need to check any Firewalls between the client and the server, and any firewalls running on the server.

Chris

Author Comment

by:bernardb
ID: 22725175
Could the following entries block ICMP?

access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 range 8888 8889
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 range 8888 8889

they're the only entries that are associated with the problem site

LVL 71

Expert Comment

by:Chris Dent
ID: 22725221

No, but they don't permit it either :)

Chris
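Chris's point is the first-match, implicit-deny behaviour of a PIX access-list: the four entries above permit TCP to two hosts on three ports and nothing else, so an ICMP echo request matches none of them and falls through to the implicit deny. The following added example (not from the thread or from Cisco) parses entries in that syntax and evaluates a packet against them. The masked octets are filled in with constructed values (192.168.1.0/24 for the site, 203.0.113.245 for the public host, 192.168.1.50 for the filter), and the extra ICMP line is hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_lo: Optional[int] = None    # destination port range for tcp/udp; None means any port
    port_hi: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "echo"; None means any ICMP type


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    PIX access-lists take a subnet mask here, not the IOS wildcard mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line):
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq P | range LO HI | ICMP-TYPE]'
    line. Only numeric ports are handled. Returns (acl_name, AclEntry)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    entry = AclEntry(action, proto, src, dst)
    rest = t[i:]
    if proto in ("tcp", "udp") and rest:
        if rest[0] == "eq":
            entry.port_lo = entry.port_hi = int(rest[1])
        elif rest[0] == "range":
            entry.port_lo, entry.port_hi = int(rest[1]), int(rest[2])
    elif proto == "icmp" and rest:
        entry.icmp_type = rest[0]
    return name, entry


def evaluate(entries, proto, src_ip, dst_ip, dst_port=None, icmp_type=None):
    """First-match evaluation, as the PIX does. Returns (action, index of the matching entry).
    A packet that matches no entry hits the implicit deny at the end: ("deny", None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.proto in ("tcp", "udp") and e.port_lo is not None:
            if dst_port is None or not (e.port_lo <= dst_port <= e.port_hi):
                continue
        if e.proto == "icmp" and e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action, idx
    return "deny", None


# The four entries from the thread, masked octets replaced with constructed values.
THREAD_ACL = [
    "access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.10 eq 8080",
    "access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.10 range 8888 8889",
    "access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.245 eq 8080",
    "access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.245 range 8888 8889",
]
# Hypothetical extra entry: the narrowest line that would let an echo request reach the filter.
ICMP_PERMIT = "access-list acl_inside permit icmp 192.168.1.0 255.255.255.0 host 192.168.1.50 echo"


def thread_acl():
    return [parse_acl_line(line)[1] for line in THREAD_ACL]


def ping_verdict(entries, src="192.168.1.20", dst="192.168.1.50"):
    """What the ACL does with an ICMP echo request from a site workstation to the filter."""
    return evaluate(entries, "icmp", src, dst, icmp_type="echo")


if __name__ == "__main__":
    acl = thread_acl()
    print("echo to filter, thread ACL:", ping_verdict(acl))                                        # ('deny', None)
    print("tcp/8080 to .10:", evaluate(acl, "tcp", "192.168.1.20", "192.168.1.10", dst_port=8080))  # ('permit', 0)
    with_icmp = acl + [parse_acl_line(ICMP_PERMIT)[1]]
    print("echo to filter, with icmp line:", ping_verdict(with_icmp))                              # ('permit', 4)
```

The hypothetical line permits only echo requests to one host; depending on the PIX version and whether ICMP inspection is enabled, the echo reply on the return path may need its own permit as well.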

Author Comment

by:bernardb
ID: 22725255
I may have missed the following. I can ping and get the following from the other sites:
ping 192.168.xx.50
I get good replies and it shows up as "filter.domain.com"

when I ping from the problem site, I get
ping filter.subdomain.domain.com
I get request timeouts and it shows up as "filter.subdomain.com"

it should be filter.domain.com

Make sense? Hope I'm explaining fully

Author Comment

by:bernardb
ID: 22725301
Only one firewall...a PIX with the entries shown. No firewalls on the servers or clients...

access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 range 8888 8889
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 range 8888 8889
LVL 71

Expert Comment

by:Chris Dent
ID: 22725316

But is the IP address returned from filter.subdomain.domain.com correct or not?

Take name resolution out and concentrate on the network layer if it is; if it's not, we need to know why subdomain is giving a response for "filter".

Chris

Author Comment

by:bernardb
ID: 22725347
Yes, the IP address returned from filter.subdomain.domain.com is the correct IP.
LVL 71

Expert Comment

by:Chris Dent
ID: 22725432

Okay, good :) I did want to be sure about that.

Can you telnet to port 8080 on the server? That will tell us if IP flows properly, if routing is correct.

Chris

Author Comment

by:bernardb
ID: 22725630
Telnet appears to fail with connection refused from all domains...I tried command line and Putty.

telnet 192.168.xx.50 8080 - connection refused, no matter what site or domain I'm trying it from

Putty, same thing...

But I can ping from the other domains and can't from this site....but telnet fails on all of them
LVL 71

Expert Comment

by:Chris Dent
ID: 22725683

Then TCP isn't flowing either. Tracert <ip> and see if the path looks correct?

If you have a number of firewalls in between the sites check the routing, check NAT and check the rule-set.

Chris

Author Comment

by:bernardb
ID: 22726139
The trace fails to this IP but not to the other. Only one firewall device...and the only connection to 10.203.xxx.50 - it goes out my gateway to the service provider and then
U:\>tracert 10.203.xxx.50

Tracing route to iprism.xxxxxxx.org [10.203.xxx.50]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2    20 ms    18 ms    34 ms  h-67-100-228-74.nycmny83.covad.net [67.100.xxx.4]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The other trace to a server at the same location as the above appliance goes through fine.

U:\>tracert 10.203.xxx.45

Tracing route to chcsfp01.xxxxxx.org [10.203.xxx.45]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2    18 ms    19 ms    18 ms  h-67-100-228-74.nycmny83.covad.net [67.100.xxx.74]
  3    20 ms    19 ms    19 ms  chcsfp01.xxxxxxx.org [10.203.xxx.45]

Trace complete.
LVL 71

Expert Comment

by:Chris Dent
ID: 22729599

Well it's going to the same gateway, can we check on h-67-100-228-74.nycmny83.covad.net?

Chris
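The comparison Chris is making (both traces leave through the same gateway, so the fault lies beyond the shared hops) can be done mechanically on tracert output. The following is an added example, not code from the thread: it parses Windows tracert output, finds the last hop that answered, and counts how many leading hops two traces have in common. The two sample traces are constructed to mirror the shape of the ones above, with placeholder names and addresses (192.168.1.1, 203.0.113.74, 10.203.0.50, 10.203.0.45) rather than the real ones.

```python
import re

# "Tracing route to name [ip]" when reverse lookup works, "Tracing route to ip" when it does not
TARGET_RE = re.compile(r"Tracing route to (?:\S+ \[)?(\d{1,3}(?:\.\d{1,3}){3})\]?")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_tracert(text):
    """Parse Windows tracert output into {"target": ip, "hops": [ip or None, ...], "reached": bool}.
    A hop that printed 'Request timed out.' is recorded as None."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        rest = m.group(2)
        if "Request timed out" in rest:
            hops.append(None)
            continue
        m = BRACKET_IP_RE.search(rest)
        # tracert prints 'name [ip]' when reverse lookup works, otherwise a bare ip as the last token
        hops.append(m.group(1) if m else rest.split()[-1])
    return {"target": target, "hops": hops, "reached": bool(hops) and hops[-1] == target}


def last_responding_hop(trace):
    """(hop number, ip) of the last hop that answered; (0, None) if none did."""
    for n in range(len(trace["hops"]), 0, -1):
        ip = trace["hops"][n - 1]
        if ip is not None:
            return n, ip
    return 0, None


def shared_path_length(a, b):
    """Number of leading hops on which two traces saw the same responder. When a failing and a
    working trace share their first N hops, the fault lies beyond hop N, not on the common path."""
    n = 0
    for x, y in zip(a["hops"], b["hops"]):
        if x is None or x != y:
            break
        n += 1
    return n


# Constructed samples shaped like the two traces in the thread; addresses are placeholders.
TRACE_TO_FILTER = """\
U:\\>tracert 10.203.0.50

Tracing route to filter.example.org [10.203.0.50]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    20 ms    18 ms    34 ms  gw.isp.example.net [203.0.113.74]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Trace complete.
"""

TRACE_TO_NEIGHBOUR = """\
U:\\>tracert 10.203.0.45

Tracing route to fileserver.example.org [10.203.0.45]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    18 ms    19 ms    18 ms  gw.isp.example.net [203.0.113.74]
  3    20 ms    19 ms    19 ms  fileserver.example.org [10.203.0.45]

Trace complete.
"""


def compare_traces(bad_text, good_text):
    """Summarise a failing trace against a working one to the same remote site."""
    bad, good = parse_tracert(bad_text), parse_tracert(good_text)
    return {
        "bad_reached": bad["reached"],
        "good_reached": good["reached"],
        "last_hop_seen_on_bad": last_responding_hop(bad),
        "shared_hops": shared_path_length(bad, good),
    }


if __name__ == "__main__":
    print(compare_traces(TRACE_TO_FILTER, TRACE_TO_NEIGHBOUR))
```

Console output wrapped at 80 columns, like the hop-2 lines pasted above, should be rejoined before parsing, since the parser expects each hop on one line. Two shared hops out of two that answered means the local gateway and the provider hop are not where the two paths diverge.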

Author Comment

by:bernardb
ID: 22741578
Covad says they will check, but it doesn't look like them...the Covad Tech couldn't specify, but he thinks it's a DNS issue. He said because I get a successful ping and trace to a server in the same subnet and location....I'm stumped at the moment
LVL 71

Expert Comment

by:Chris Dent
ID: 22741790

But if the IP returned is the same, or you can't ping / trace when only using IP then DNS is completely out of the window. As soon as you get the IP back DNS is finished.

Chris

Author Comment

by:bernardb
ID: 22744213
So sorry for the delayed response...
So you say because it shows "Pinging iprism.xxxxxx.xxxxxx.org [10.203.xxx.50] with 32 bytes of data:"...it eliminates DNS?


U:\>ping iprism

Pinging iprism.xxxxxx.xxxxxx.org [10.203.xxx.50] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.203.xxx.50:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
LVL 71

Accepted Solution

by:Chris Dent (earned 2000 total points)
ID: 22744255

If the IP is correct the DNS cannot be to blame because it's done its job properly :)

That puts us back at troubleshooting the network level, because that shouldn't be remotely interested in the name used to access a resource.

Chris

Author Comment

by:bernardb
ID: 22745740
I will continue to troubleshoot...and keep you updated. Thanks for your help and if you can think of anything at the network level to check, I will.

Thanks again

Author Closing Comment

by:bernardb
ID: 31508941
Thank you for all of your help...The problem was my fault. The device was an internet filter located at another site. When I filled out the network section, I left out a number.....I slowly went over each setting and noticed it...My apologies.